Why more Snapchat-like hacks will occur in 2014

UPDATE: At 3:55 p.m. Pacific, Snapchat spokeswoman Mary Ritti notified CyberTruth that the company plans to release an update that will allow users to opt out of appearing in the "Find Friends" function. The company will also improve rate limiting and other restrictions to "address future attempts to abuse our service."

SEATTLE - Hacks like the one that exposed personal information for 4.6 million Snapchat users last week are likely to become commonplace in 2014.

That's because entrepreneurs are moving faster than ever in a multi-billion dollar race to create hot new social apps at a time when locking down databases containing consumer information is getting more complex.

Snapchat is an über popular instant messaging service that collects rich data about what you're interested in and who you associate with online. Most social apps are crafted to work seamlessly on personally-owned smartphones and touch tablets -- the devices many of use as part of the Bring Your Own Device to work craze.

Many of the hottest contenders to become the next Snapchat are pursuing business models built around amassing Internet-enabled databases full of consumer and work-related information. This information is sold to advertisers. But because it is stored dynamically on a web-enabled database it also becomes a fat, juicy target for cybercriminals.

"There is a high desire to monetize these new apps, combined with low technical sophistication and a significant security challenge," says Kevin O'Brien, director of product marketing, at cloud security vendor CloudLock. "Millions of apps put out for the first time will get things wrong, and expose that information."

It's a red-hot, fast-moving phenomenon. Venture capitalists are throwing small fortunes in speculative funding at promising social app startups. And new code-writing tools make the development of apps easier than ever.

Yet protecting databases has never been more complex. It's time-consuming to grasp the scope and scale of security weaknesses introduced by online data gathering at warp speed. And it's costly and time-consuming to plan and execute a robust defense. App developers, and their investor angels, aren't known for patience.

Marc Maiffret, CTO at security firm BeyondTrust, says that even if a popular app functions well, dealing with the security implications remains a separate, demanding challenge.

"We definitely can always look forward to more breaches as the overriding goal of most technology companies is still bringing feature rich and differentiated technology to market as quick as possible and sometimes that means security takes a back seat,"

A reputable Australian security research outfit, Gibson Security, first contacted Snapchat about major vulnerabilities in its database application last August 27. When Snapchat failed to respond, Gibson on Christmas day publicly posted notice of numerous weaknesses in the APIs Snapchat uses to enable other apps to tie into its services.

"It is hard to tell how much effort Gibson took to make sure Snapchat knew about what they discovered. It is clear now that Snapchat didn't rush to fix the issue," says Chris Wysopal, chief technology officer at security firm Veracode.

To keep pressure on vendors to fix flaws, US-CERT, the Carnegie Mellon outfit that keeps track of known vulnerabilities in operating systems and apps, gives vendors 45 days to fix issues before making them public.

What Snapchat did next baffles some in the cybersecurity community. On Dec. 27, the company issued a blog post acknowledging the flaws identified by Gibson Security, and pointed out recent countermeasures. But Snapchat also disclosed how the flaws theoretically could be exploited, says O'Brien.

A short time after Snapchat posted its mea culpa, a hacktivist -- on New Year's eve -- broke into Snapchat's database and pilfered 4.6 million customer names and phone numbers. "They (Snapchat) should have privately reached out to Gibson, said 'thank you' and spelled out how they planned to resolve it," says O'Brien.

Snapchat has not responded to CyberTruth's request for an interview.

"This is a form of hacktivism, and hacktivism is definitely on the rise these days," says Oscar Marquez, chief product officer at Total Defense. "This should definitely be a wake-up call for both users and organizations with an online presence. "

Roel Schouwenberg, principal security researcher at Kaspersky Lab, says that the names and phone numbers exposed by the hacktivist almost surely are being milked by others in the cyberunderground. "It's a pretty safe bet to assume at least all of the U.S. phone numbers have been tried and mapped," Schouwenberg says.

Phone numbers are perfect for ruses in which a scammer calls the target pretending to be a bank, a utility or other service provider, requesting an online payment. "There are a lot of possibilities for the attackers so it's important to be vigilant, especially as the information that's out there can't be easily changed," Schouwenberg says.

Roger Thompson, chief researcher at ICSA Labs, a vendor-neutral testing and certification firm, says we should all keep our eyes wide open to the notion that data-harvesting apps, like Snapchat, are built for functionality, not security.

"The moral of the story is that we have to be thoughtful about what information we put online, because it might just leak," Thompson says.